XSS Dominated websites vulnerabilities

If you are the type of system administrator that loves to keep their computer secure, then have you heard of NoScript? It is a security plug-in in Firefox that was designed to filter Cross Site Scripting (XSS) content and prevent it from running in an accessed webpage. How is this important? Let us elaborate more on XSS...

Cross Site Scripting is the content on a webpage

That tries to access and run scripts that are not located in the same domain of the website you are using. This kind of scripting is very dangerous as content from anywhere could be run on a webpage without the normal end-user knowing. This vulnerability greatly increases the chances that malware get installed on systems and even lead to users personal information being stolen.

Scripts running on local machines can do many things especially if they are given the right user permissions. They could collect information such as the user’s location, the configuration setting of installed programs, and even perform useful tasks like checking whether all the information a user types in a web form is correct. These scripts can also run 3rd party programs like Adobe Reader, and Adobe Flash. In short, if the user had “root” or “administrative” privileges, these Scripts are free to do anything they would like.

One safe example would be the website Facebook. Much of its content and scripts are loaded from other websites or other domains. Although the website can be found in www.facebook.com, much of its content is loaded from fbcdn.net which is its own network.

The problem with XSS is that no ordinary user could filter out which type of content is safe to view. It would take more to learn such things than to learn it yourself, much less a system administrator. Flashblock could be used to stop all flash content from loading in a website. It would be very easy for the user to only load the flash objects they wish to view but it would be extremely difficult to block all scripting content and just allow content you know you could trust.

This is the challenge that the NoScript plug-in presents. It is a wonderful security plug-in made by Firefox to help increase security when accessing web pages. The trouble with this kind of plug-in is that it will hamper websites with very rich content. With NoScript patrolling all the vulnerabilities and making sure that these potential threats are not run on your PC while informing you of its deeds on the status bar; it gives you greater control over the content you run on your computer. It would be rather troublesome if you wished to run all of the content. You would have to approve them all one after the other. One benefit from this would be that you would even learn where most of the content websites you visit actually run from (not that it actually would be of any use). Since the plug-in doesn’t come with a list of “safe” domains, each new user of NoScript has to configure the plug-in from scratch.

It would take a lot of work to use NoScript effectively to combat malicious XSS codes but increased security is well worth it specially if you use the internet for paying bills, doing online banking, and access sensitive information. This gives systems administrators more reason to take the time to learn how to use NoScript.